<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>XSSdemo</title>
</head>
<script>
    eval(decodeURI(location.hash.substr(1)))
</script>
<body>
    <h2>xxs攻击</h2>
</body>
</html>